Skip to content

Commit

Permalink
overlay/boot-mount-generator: Mount /boot{,efi} read-only,nodev,nosuid
Browse files Browse the repository at this point in the history
ostree has had support for leaving `/boot` mounted read-only
for a long time: ostreedev/ostree#1767
(And then later extended to `/sysroot`)

Particularly for CoreOS, only a few things should be touching
`/boot`, and we control all of them.  Those projects should
create a new mount namespace and remount these partitions
writable just while they need it.

The main thing we're accomplishing here is making the system
more resilient against accidental damage from a sysadmin
root shell as well as configuration management tools like
Puppet/Ansible.  None of those should be directly manipulating
files on these partitions, they should go through the API
of one of our projects (e.g. `rpm-ostree kargs`, `bootupctl`) etc.

While we're here, also andd `nodev,nosuid` because some
OS hardening scanners like to see this.  IMO it's of minimal
value, but hey, might as well.
  • Loading branch information
cgwalters authored and kelvinfan001 committed Jan 6, 2021
1 parent 8c07b73 commit 7b576a3
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,9 @@ fi
mk_mount() {
local mount_pt="${1}"; shift
local label="${1}"; shift
local path="/dev/disk/by-label/${label}"
local options="${1}"; shift

local path="/dev/disk/by-label/${label}"
local unit_name=$(systemd-escape -p ${mount_pt} --suffix=mount)

eval $(udevadm info --query property --export "${path}")
Expand All @@ -61,6 +62,7 @@ After=systemd-fsck@${device}.service
[Mount]
What=${path}
Where=${mount_pt}
Options=${options}
EOF

add_wants "${unit_name}"
Expand All @@ -71,5 +73,22 @@ EOF
# ConditionPathExists won't work here because conditions don't affect
# the dependency on the underlying device unit.
if [ ! -f /run/ostree-live ]; then
mk_mount /boot boot
# We mount read-only by default mostly to protect
# against accidental damage. Only a few things
# owned by CoreOS should be touching /boot or the ESP.
# Use nodev,nosuid because some hardening guides want
# that even though it's of minimal value.
boot_mount_options=ro,nodev,nosuid
mk_mount /boot boot "${boot_mount_options}"

# Only mount the EFI System Partition on machines where it exists,
# which are 1) machines actually booted through EFI, and 2) x86_64
# when booted through BIOS.
if [ "$(uname -m)" = "x86_64" -o -d /sys/firmware/efi ]; then
# In the general case the ESP might have per-machine or private
# data on it. Let's not make it world readable on general
# principle.
# https://github.com/coreos/fedora-coreos-tracker/issues/640
mk_mount /boot/efi EFI-SYSTEM "${boot_mount_options},umask=0077"
fi
fi
13 changes: 9 additions & 4 deletions tests/kola/misc-ro
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,15 @@ if ip link | grep -o -e " eth[0-9]:"; then
fi
ok nic naming

if test -w /sysroot; then
fatal "found writable /sysroot"
fi
ok sysroot ro
for part in /sysroot /boot; do
if ! findmnt -n -o options ${part} | grep -q "ro,"; then
fatal "${part} is missing ro option"
fi
if test -w "${part}" || touch "${part}/somefile" 2>/dev/null; then
fatal "${part} is writable"
fi
done
ok read-only partitions

if ! lsattr -d / | grep -qe '--i--'; then
fatal "missing immutable bit on /"
Expand Down

0 comments on commit 7b576a3

Please sign in to comment.